Code Red prepares for second wave

Tim Eaton

SAN FRANCISCO (CBS.MW) -- The Code Red worm is likely to start spreading again Tuesday at 8 p.m. ET and may have "mutated so that it may be even more dangerous," said the FBI.

Code Red attacks and overloads vulnerable systems -- and perhaps eventually segments of the Internet -- with self-replicating traffic that could hobble online businesses in coming weeks. The worm first disrupted U.S. government Web sites last week.

Effects could include a worldwide disruption of electronic commerce, e-mail and online entertainment, said the FBI in a joint statement with six other organizations, including Microsoft and several industry groups.

"I think the biggest effect is likely to be on small to midsize businesses because those are the ones that are least likely to have fixed their software," said Paul Gillin, editor in chief of searchSecurity.com, an online Internet security web site. "They are also more likely to be users of IIS servers - Internet Information Server - which is the software that is targeted by the worm. Large corporations or anybody running a large corporate Web server knows about this problem and had fixed it."

Code Red, reportedly named for a favorite soft drink of computer programmers, first appeared July 19, when it infected more than 250,000 systems in just nine hours.

Since mid-July, the worm has infected 500,000 servers, said Sal Viveros, director of the Anti-Virus Emergency Response Team at McAfee.

"The real threat is that the Internet is just going to slow to a crawl," said Viveros. "With the number of incidents out there, the chances of the Internet slowing a bit are pretty good."

Code Red is designed to choke Web sites, not cause file or hard-drive damage like a virus. This makes it unlike the Naked Wife virus that surfaced in March or the August 2000 Pokey virus, which crippled operating systems and other vital files. The Code Red worm scans the Internet searching for exposed systems in which to install itself.

Each newly installed worm joins other previously introduced worms, causing the rate of scanning to grow rapidly, according to the FBI. The action of the scanning, if not remedied, will cause decreased speed of the Internet and sporadic - even widespread - outages among all types of systems.

"The Code Red worm and mutations of the worm pose a continued and serious threat to Internet users," said the FBI, adding that "immediate action is required to combat this threat."

Security patch needed

The FBI and the other organizations recommend that computer users who run Microsoft Windows NT or Windows 2000 systems with Internet Information System Software install a security patch from Microsoft to close the loophole that creators of the virus targeted and exploited.

Besides degrading performance due to the scanning activity of this worm, Code Red can deface Web sites of infected systems.

CERT explains, "It is important to note that while the Code Red worm appears to merely deface Web pages on affected systems and attack other systems ... (it) effectively gives an attacker complete control of the victim system."

Some experts fear that the end of the Code Red worm is not coming very soon, at least not until computer users and technicians decide to keep security systems updated with regular maintenance.

"Even sites who do everything correctly can be severely impacted when new vulnerabilities are discovered," Jeffrey Carpenter, manager of the CERT Coordination Center at Carnegie Mellon University, said in a statement. "The kinds of problems caused by Code Red will continue until vendors substantially reduce the number of vulnerabilities in their products in the first place."

One unfortunate aspect of the worm, according to Viveros at McAfee, is that it unfolds a well-laid roadmap for other hackers. He also said that future generations can become even more malicious.

And those future online assaults always come.

"Anytime we see one of these attacks that is as successful or gets as much media attention as this one, we tend to see copycats," said Viveros.

To prepare for the unoriginal, yet spiteful hackers, Viveros said, "We have a team of over 90 researchers who go out and try to find the latest vulnerabilities as soon as they are created. So, we'll create a patch for it or find a fix for it, just like we did with this one."

But catching the villains is not always a simple task. Viveros said that most viruses and worms are not caught. But he added that the FBI and other federal agencies have been more active in this case than in others because Code Red initially targeted the White House.
